The principle of accountability

The General Data Protection Regulation (GDPR) introduces a new principle to data protection rules in Europe: that of accountability. The GDPR makes the controller responsible for ensuring that all privacy principles are adhered to. Moreover, the GDPR requires that your organisation can demonstrate compliance with all of those principles. So, which steps should your organisation take to build such a culture and to be able to demonstrate accountability?

Firstly, the organisation must know which principles need to be adhered to. There are six principles set out in the GDPR: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. One of the best ways to ensure these principles are adhered to is to set up your internal privacy governance structure correctly and comprehensively.

The ways to incorporate these principles are woven throughout the GDPR. For instance, the GDPR requires your organisation to deploy the appropriate technical and organisational measures it lays out. Some (new) measures mentioned in the GDPR are: documented processes and policies, data protection impact assessments (DPIAs), suggested data security methods, data protection by design and by default, a mandatory data protection officer (DPO) for large-scale personal data processing, and keeping records of your processing activities. Special attention is given to (industry) codes of conduct and self-certification, data breach notification, and transparency requirements.

A culture and organisational change

A strong governance structure is essential to standardise privacy and to develop privacy by design and by default. To create the cultural and organisational change needed for GDPR compliance within your organisation, buy-in from stakeholders is essential. By developing internal guidelines for employees, compliance with the legal obligations for processing and securing data can be ensured. Incorporate training and awareness programmes for everyone who will be involved in the processing of personal data. Your organisation can also consider subscribing to an industry code of conduct, or creating internal guidelines and a review process for data analytics.

Subscribing to an industry code of conduct can demonstrate compliance, especially when certifications are issued by certification bodies. These mechanisms are not obligatory under the GDPR, but are highly recommended. Developing your own ethical standards with respect to processing personal data may further enhance your accountability efforts. The risks of new initiatives are then weighed against their possible benefits. Questions like ‘can we legally do this?’ should be complemented by ‘do we want to do this, and how will it be perceived by our customers?’ to safeguard the ethical use of the data.

Furthermore, the GDPR obliges your organisation to maintain an internal record of all your processing activities. Your organisation is, among other things, required to record the purposes of the processing and a description of the technical and organisational security measures.

New in the GDPR is the requirement to designate a data protection officer (DPO) within your organisation. Although the designation is only mandatory in certain circumstances, a DPO can monitor the activities of your organisation and its processing activities to help you become compliant with the GDPR.

Conclusion

Under the GDPR, the principle of accountability becomes more important. Your organisation is not only required to adhere to the principles set out in the GDPR, but must also demonstrate compliance. To live up to the principle of accountability, a comprehensive governance structure is necessary. Adhering to the principle of accountability means a cultural and organisational shift in your organisation. With the help of strong technical and organisational measures, your organisation can demonstrate compliance with the GDPR.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/de/about to learn more about our global network of member firms.